Section I:Information Security and Privacy Program Oversight and Reporting Requirements

The following section provides agencies with quarterly and annual FISMA metrics reporting guidelines that serve two primary functions:

1) to ensure agencies are implementing Administration priorities and cybersecurity best practices, and

2) to provide OMB with the data necessary to perform relevant oversight and address risks through an enterprise-wide lens.

The existing data collection process continues to inform policy, allows for the performance of targeted oversight, and directs the prioritization of cybersecurity and privacy activities. Agencies will continue to move toward automated data collection and the adoption of a Federal Continuous Diagnostics and Mitigation (CDM) Dashboard, which will begin replacing the current data collection process.

In FY 2016, the FISMA metrics were aligned to the five functions outlined in the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover. The NIST Cybersecurity Framework is a risk-based approach to managing cybersecurity, which is recognized by both government and industry and provides agencies with a common structure for identifying and managing cybersecurity risks across the enterprise. Additionally, OMB worked with DHS, the Federal Chief Information Officer (CIO) Council, and the Council of Inspectors General on Integrity and Efficiency to ensure both the CIO metrics and Inspectors General metrics align with the Cybersecurity Framework and provide complementary assessments of the effectiveness of agencies’ information security programs.

Federal agencies are to report all of their cybersecurity performance information through DHS’s CyberScope reporting system. Agencies shall adhere to the following reporting requirements and timelines:

FY 2016 Annual FISMA Reporting Deadline:

Annual FISMA Report: All Federal agencies, including small and independent agencies, shall report on their performance against the Annual FY 2016 FISMA CIO, Inspector General, and Senior Agency Official for Privacy (SAOP) metrics by November 10, 2016.

FY 2016 Agency Reports to OMB and Congress

In accordance with FISMA 2014 (44 U.S.C. § 3554), agencies shall submit an annual report to OMB and DHS; the Committees on Oversight and Government Reform, Homeland Security, and Science, Space, and Technology of the House of Representatives; the Committees on Homeland Security and Government Affairs; and Commerce, Science, and Transportation of the Senate; the appropriate authorization and appropriations committees of Congress; and the Comptroller General.

While agencies must submit their data to OMB by November 10, 2016, agency reports are due to Congress by March 1, 2017. OMB does not review or clear these reports, and agencies should not wait for any such clearance process. Instead, agencies should submit their reports to Congress once they are complete.

Agency Letter - In addition to the aforementioned metrics, agencies must submit a signed letter, marked Controlled Unclassified Information (CUI) if there are specific incident details, from the head of the agency. This letter should provide a comprehensive overview reflecting the agency head’s assessment of the adequacy and effectiveness of his or her agency’s information security policies, procedures, practices, and include the following details regarding incidents (44 U.S.C. § 3554):

  • A description of each major incident, as defined in Section II of this Memorandum, including:
    • Threats and threat actors, vulnerabilities, and impacts;
    • Risk assessments conducted on the information system before the date of the major incident;
    • The status of compliance of the affected information system with security requirements at the time of the major incident; and
    • The detection, response, and remediation actions the agency has completed.
  • For each major incident that involved a breach of personally identifiable information (PII),2 the description must also include:
    • The number of individuals whose information was affected by the major incident; and
    • A description of the information that was compromised.
  • The total number of incidents, including a description of incidents resulting in significant compromise of information security, system impact levels, types of incidents, and locations of affected information systems3.

In addition to what is specified in 44 U.S.C. § 3554, agencies shall include information regarding incidents reported to US-CERT through the DHS US-CERT Incident Reporting System. Specifically, agencies should:

  • Document the number of incidents reported to DHS US-CERT within the FY; and
  • Explain any major trends continuing from previous years.

Finally, the letter must include the agency’s progress toward meeting FY 2017 FISMA metrics, to include the Cybersecurity Cross Agency Priority (CAP) Goal metrics established by OMB, DHS, and the CIO Council.

Agencies shall upload this letter to CyberScope as part of their annual reporting requirements. Agencies must submit this letter in order to complete their annual reporting package to OMB and may have their cover letters rejected if they fail to provide the required information.

FY 2016 - 2017 Privacy Management Requirements

As in previous years, Senior Agency Officials for Privacy (SAOPs) are required to report on an annual basis and must submit the following documents through CyberScope as part of the annual data submission:

  • A description of the agency’s compliance with the requirements in A-130 regarding privacy training for employees and contractors;
  • A progress update on the agency’s reduction of unnecessary holdings of PII, including the elimination of unnecessary uses of Social Security numbers;
  • The agency’s written policy or procedure for ensuring that any new collection or use of Social Security numbers is necessary;
  • A description of the agency’s efforts to comply with the privacy-related requirements in OMB M-16-04,4 including:
             - The number of agency information systems containing PII that have been identified by the agency as High Value Assets (HVAs);
            - For all information systems containing PII that have been identified as HVAs, whether the SAOP has reviewed each information system to determine whether it requires new or updated system of records notices (SORNs) and/or privacy impact assessments (PIAs);
            - Whether all HVAs containing PII that require SORNs and/or PIAs are covered by complete, up-to-date SORNs and/or PIAs; and
            - The number of SORNs and/or PIAs that were published or revised pursuant to the SAOP’s review of HVAs;

  • A memorandum describing the agency’s privacy program, including:
             - A description of the structure of the agency’s privacy program, including the role of the SAOP, the placement of the privacy program, and the resources the agency has dedicated to privacy-related functions;5
            - A discussion of changes made to the agency’s privacy program during the reporting period, including changes in leadership, staffing, structure, and organization, as well as any plans or strategies to make changes in the future;
            - Links to relevant publicly available documents and materials, including the policies, procedures, structure, roles, and responsibilities with respect to the agency’s privacy program and the agency’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII; and
            - Any other information that OMB should know regarding privacy-related functions performed at the agency.

Moving Forward: FY 2017 FISMA Reporting Timelines

Quarterly Reporting: Chief Financial Officer (CFO) Act agencies, are required to update their responses to FISMA questions and metrics, at a minimum, on a quarterly basis in accordance with the schedule below. Questions and metrics marked “CAP” in the FISMA guidance will be used in recurring OMB publications, such as the quarterly Cybersecurity CAP Goal Report published on

All agencies should update all FISMA questions and metrics as often as needed (i.e., more often than each quarter) to ensure agency leadership has useful, up-to-date information. Small agencies are encouraged, but not required, to report on these questions and metrics each quarter. Agencies should provide explanatory language in the optional comment field within CyberScope for any FISMA metric that does not meet established CAP goal targets or for which significant progress or impediments warrant,OMB’s attention or assistance.

All agencies that are participants in the President’s Management Council (PMC) Cybersecurity Assessment Process must report their quarterly PMC Cybersecurity Self Assessments in accordance with the schedule below.

*Quarter 1: no later than January 15, 2017,
*Quarter 2: no later than April 15, 2017,
*Quarter 3: no later than July 15, 2017,
*Quarter 4: FY 2017 Annual: no later than October 31, 2017.

Agency Inspectors General and SAOPs information is not required quarterly, but must be provided for the FY 2017 Annual Report to Congress. Although the information provided by the SAOPs is only required to be submitted to OMB on an annual basis, all agencies should update all FISMA questions and metrics as often as needed to ensure agency leadership has useful, up-to-date information.


2: Per A-130, ‘personally identifiable information’ refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

3: “Incident” means an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. 44 U.S.C. § 3552.

4: CSIP required agencies to identify HVAs that contain PII; recommend whether particular systems should be added to the agency’s list of HVAs; and review all HVAs containing PII to ensure that any SORNs and PIAs are current, accurately address risks to PII, and include any steps taken to mitigate those risks. See OMB Memorandum M-16- 04.

5: For the purposes of this memorandum, privacy-related functions include, but are not limited to, complying with all laws, regulations, and policies relating to privacy, as well as applying appropriate privacy standards and other best practices.

6: 31 U.S.C. § 901 (b), as amended